The new California Consumer Privacy Act (CCPA) took effect on January 1, 2020 and will have a significant impact to companies that have any business dealings with California residents. The new legislature is designed to provide a way to secure new privacy rights for California consumers. Those entities that do not comply could face actions by the California Attorney General for civil penalties of $2,500 per violation, or up to $7,500 per violation if intentional. As such, companies should began getting familiar with the CCPA so they are prepared to avoid such penalties.
Who Does the Act Apply to?
Businesses that have one or more of the following must comply with this Act:
- Has gross annual revenues greater than $25 million;
- Annually buys, receives, or sells the personal information of 50,000 or more consumers, households, or devices;
- Derives 50 percent or more of annual revenues from selling consumers’ personal information.
What is considered as Personal Information?
Personal information that identifies, relates to describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household are covered by the Act. Therefore, such information would also include e-mails, IP addresses, phone numbers, MAC addresses of devices, etc. Personal information related to certain publicly available government records is not included. Additionally, certain personal information covered by other sector specific legislation is also excluded from coverage scope (e.g. Gramm-Leach-Bliley Act, etc.).
What is in the Act?
This Act does not directly impose security requirements for companies. However, it does establish a right of action for certain data breaches that result from violations of a business’s duty to implement and maintain reasonable security practices and procedures appropriate to the risk arising from existing California law. In addition, the Act specifically grants California consumers four rights as follows:
- Right to know – Consumers should be able to request and know what personal information is collected, used, shared or sold, both as to the categories and specific pieces of personal information.
- Right to delete – Consumers should be able to request businesses and by extension, a business’s service providers to delete their personal information stored by the entity.
- Rights to opt-out – Consumers should be able to direct a business that sells personal information to stop selling that information. Children under the age of 16 must provide opt in consent, with a parent or guardian consenting for children under 13.
- Rights to non-discriminate – Consumers should not be discriminated in terms of price or service when a consumer exercises a privacy right under CCPA.
What new requirements does the Act impose?
Due to this Act, companies need to create new processes and procedures to address the four new consumer rights. Companies must have processes specifically to address the following:
- Notice – Companies subject to the CCPA must provide notice to consumers at or before data collection.
- Opt-out requests – Companies must create procedures to respond to requests from consumers to opt-out, know, and delete.
- “Do Not Sell My Info” Button – For requests to opt-out, businesses must provide a “Do Not Sell My Info” link on their website or mobile app to make such requests.
- Timely Response to Requests – Companies must respond to requests from consumers to know, delete, and opt-out within specific time frames (45 days after receipt, potentially extendable once for another 45 or 90 days on customer notification)
- Usable format – Companies must provide information requested by the consumer portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit this information to another entity without hindrance. Companies may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.
- User-enables privacy settings – Companies must treat user-enabled privacy settings that signal a consumer’s choice to opt-out as a validly submitted opt-out request.
- Verify Identity of Requestor – Companies must verify the identity of consumers who make requests to know and to delete, whether or not the consumer maintains a password-protected account with the business.
- If a Company is unable to verify a request, it may deny the request, but must comply to the greatest extent it can. For example, it must treat a request to delete as a request to opt-out.
- Disclosure of incentives – Companies must disclose financial incentives offered in exchange for the retention or sale of a consumer’s personal information and explain how they calculate the value of the personal information. Companies must also explain how the incentive is permitted under the CCPA.
- Maintain Records – Companies must maintain records of requests and how they responded for 24 months in order to demonstrate their compliance.
- In addition, companies that collect, buy, or sell the personal information of more than 4 million consumers have additional record-keeping and training obligations.
What are my Next steps?
CCPA could significantly impact various companies. The best next steps for companies to begin implementing CCPA compliance standards are as follows:
- Understand how data is being held and managed in your organization
- Post notices online regarding what data is collected and privacy policies
- Have a minimum method of accepting requests
- Have procedures in place to process timely requests once they are received
- Develop an accountability process in your team for CCPA compliance
For further questions regarding how CCPA will impact your organization, please reach out to your Larson & Company advisor.